UK-based service desk providing email and telephone support 08:00 - 18:30. Additional support hours are available on request. We have a managed SLA which we report on monthly.

Each customer is assigned both an ITIL service manager and a customer account manager.

We encourage a close working relationship with our locally-based support staff. All of our support staff are experienced technicians who have detailed knowledge of eCase and our customers. Our support team is the single point of contact for both software and technical support issues.

We’re proud of our record on customer satisfaction and achieved 100% customer satisfaction in our service delivery in a survey undertaken by an external agency that interviewed representatives from all our customers.

Support available to third parties

Yes

Onboarding and offboarding

Getting started

eCase has a comprehensive integrated help system. The eCase team provides onboarding assistance to customers. Classroom training is available as well as desk-side and online/remote training.

Service documentation

Yes

Documentation formats

HTML

PDF

End-of-contract data extraction

Data extract is provided in XML format.

End-of-contract process

All user accounts are cancelled. Customer data is provided in an XML format and permanently removed from the application after confirmation of receipt.

Using the service

Web browser interface

Yes

Supported browsers

Internet Explorer 8

Internet Explorer 9

Internet Explorer 10

Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari 9+

Opera

Application to install

No

Designed for use on mobile devices

Yes

Differences between the mobile and desktop service

eCase is a responsive web application designed to work across all screen sizes. All functionality is available on the desktop and mobile service and the layout is optimised for both.

Accessibility standards

WCAG 2.0 AA or EN 301 549

Accessibility testing

Manual accessibility checking conducted by a team of disabled individuals using a range of adaptive technologies (hardware and software designed to facilitate the use of computers by people with disabilities). This includes:

NVDA: screen reader and application used by those who are blind.

ZoomText: a magnification application used by those with low vision.

JAWS: a screen reader used by blind people to access Web pages.

Dragon Naturally Speaking: voice activated software used by those that do not use a conventional input device such as a keyboard or mouse.

Switch Access: used by those with severe mobility impairments to input commands to a computer.

Keyboard Only: some users with mobility impairments have difficulty making precise movements required by pointing devices such as a mouse; therefore a keyboard is used as the exclusive input device.

Readability: Manual checks to assess the suitability of a Web page for those with colour blindness and dyslexia.

Deaf/Hard of hearing: Manual checks to assess the suitability of a web page for those with hearing impairments.

Learning difficulties: Manual checks to assess the suitability of a web page for those with learning difficulties.

API

Yes

What users can and can't do using the API

API to create cases automatically, facilitating integration with customer website or contact us form.

Scanner API to create cases from barcode scanned documents.

API to download cases from the Houses of Parliament Q&A feed.

ADFS (SAML) APIs for single sign-on.

Google Suite integration APIs are also available.

API documentation

Yes

API documentation formats

HTML

ODF

PDF

API sandbox or test environment

Yes

Customisation available

Yes

Description of customisation

Some customisation can be made through the management interface by privileged users. More complex customisation can be carried out through a service request.

Scaling

Independence of resources

eCase is deployed on a scalable, virtualised infrastructure utilising best-of-breed application load balancing and proactive monitoring.

Database servers are physically separated.

Analytics

Service usage metrics

Yes

Metrics types

Service level performance in line with Service Level Agreement including response times, number of tickets and time to resolution.

Storage usage graphs, security metrics such as failed login attempts, virus detection etc.

Reporting types

Regular reports

Resellers

Supplier type

Not a reseller

Staff security

Staff security clearance

Other security clearance

Government security clearance

Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations

Yes

Data storage and processing locations

United Kingdom

User control over data storage and processing locations

No

Datacentre security standards

Complies with a recognised standard (for example CSA CCM version 3.0)

Penetration testing frequency

At least once a year

Penetration testing approach

‘IT Health Check’ performed by a CHECK service provider

Protecting data at rest

Physical access control, complying with another standard

Data sanitisation process

Yes

Data sanitisation type

Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed

Equipment disposal approach

A third-party destruction service

Data importing and exporting

Data export approach

Data can be extracted via spreadsheet (.csv, .xlsx). Full data exports are provided in XML format.

Data export formats

CSV

Other

Other data export formats

XML

XSL

Data import formats

CSV

Other

Other data import formats

XML

Data-in-transit protection

Data protection between buyer and supplier networks

TLS (version 1.2 or above)

Data protection within supplier network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability

99.9% availability. This is backed by a comprehensive Service Level Agreement and a monthly service report to the customer. Service credits can be provided.

Approach to resilience

eCase is deployed on a fully resilient infrastructure with failover servers at the primary site.

A geographically separate datacentre provides disaster recovery capability in case of an outage to the primary site. See the eCase service definition for full information.

Outage reporting

Email alerts and service management updates provided by your dedicated customer service manager.

Identity and authentication

User authentication needed

Yes

User authentication

2-factor authentication

Identity federation with existing provider (for example Google Apps)

Limited access network (for example PSN)

Username or password

Access restrictions in management interfaces and support channels

Access to management functions is restricted to user accounts with the relevant privileges as determined by the customer.

Access restriction testing frequency

At least every 6 months

Management access authentication

2-factor authentication

Identity federation with existing provider (for example Google Apps)

Limited access network (for example PSN)

Username or password

Audit information for users

Access to user activity audit information

Users have access to real-time audit information

How long user audit data is stored for

At least 12 months

Access to supplier activity audit information

Users have access to real-time audit information

How long supplier audit data is stored for

At least 12 months

How long system logs are stored for

At least 12 months

Standards and certifications

ISO/IEC 27001 certification

Yes

Who accredited the ISO/IEC 27001

The British Assessment Bureau

ISO/IEC 27001 accreditation date

02/08/2018

What the ISO/IEC 27001 doesn’t cover

Please contact the certifier for further information on exact scope

ISO 28000:2007 certification

No

CSA STAR certification

No

PCI certification

No

Other security certifications

Yes

Any other security certifications

Independently accredited by government departments

Cyber Essentials Plus

Security governance

Named board-level person responsible for service security

Yes

Security governance certified

Yes

Security governance standards

ISO/IEC 27001

Information security policies and processes

We maintain a HMG IAS 1&2 compliant RMADS document set and SyOPs which implements the ISO27001 principles. This is independently reviewed by an external CLAS consultancy on an annual basis and is accredited by a central government accreditor.

An annual IT Health Check is carried out by a CHECK-registered pen test company.

Operational security

Having worked with the UK public sector for 10 years we have a comprehensive and rigorous approach to configuration and change management based on our solid ISO9001 and ITIL principles.

All source code is managed and version controlled and changes are linked to feature requests or service incidents.

Changes are run through a three-step internal testing and validation process before being released to a customer test environment for acceptance testing. Except in emergency circumstances, changes are not released to live without customer approval.

The eCase environment is proactively enforced with a weekly vulnerability scan which automatically raises any new threats to the security manager.

An annual ITHC penetration test is carried out by a CHECK-approved third party. Any vulnerabilities rated Medium or above are fixed as soon as practicable.

The environment is patched on a weekly basis and critical patches are released as soon as practicable.

Protective monitoring type

Supplier-defined controls

Protective monitoring approach

eCase is monitored through a series of tools and processes aligned in part with recommendations from CESG document GPG13 (Protective Monitoring for HMG ICT Systems) and, in particular, Protective Monitoring Controls (PMC 1-12). This includes checks on time sources, status of backups and others. Alerts raised are sent to our service desk for prompt investigation following our event management procedures.